An attack on a traitor tracing scheme

Jeff Jianxin Yan, Yongdong Wu

July 2001, 14 pages

Abstract

In Crypto’99, Boneh and Franklin proposed a public key traitor tracing
scheme, which was believed to be able to catch all traitors while not
accusing any innocent users (i.e., full-tracing and error-free).
Assuming that Decision Diffie-Hellman problem is unsolvable in Gq, Boneh
and Franklin proved that a decoder cannot distinguish valid ciphertexts
from invalid ones that are used for tracing. However, our novel pirate
decoder P3 manages to make some invalid ciphertexts distinguishable
without violating their assumption, and it can also frame innocent user
coalitions to fool the tracer. Neither the single-key nor arbitrary
pirate tracing algorithm presented in [1] can identify all keys used by
P3 as claimed. Instead, it is possible for both algorithms to catch none
of the traitors. We believe that the construction of our novel pirate
also demonstrates a simple way to defeat some other black-box traitor
tracing schemes in general.